CVE-2025-14537 identifies a SQL injection vulnerability in the code-projects Class and Exam Timetable Management software version 1.0. The vulnerability resides in the /preview7.php script, where the parameter course_year_section/semester is not properly sanitized before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands by manipulating this parameter, potentially leading to unauthorized data access, data modification, or denial of service via database corruption or crashes. The vulnerability does not require user interaction or privileges, making it highly accessible to attackers. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploitation has been reported, a public exploit is available, increasing the risk of exploitation. The affected product is primarily used in educational environments for managing class and exam schedules, which often contain sensitive student and institutional data. The lack of available patches or updates at the time of publication further exacerbates the risk. Organizations relying on this software should consider immediate mitigation steps to prevent exploitation.

The impact of this SQL injection vulnerability on European organizations, particularly educational institutions, can be significant. Exploitation could lead to unauthorized disclosure of sensitive student and staff data, including personal information and academic records, violating data protection regulations such as GDPR. Integrity of timetable data could be compromised, causing operational disruptions and loss of trust. Availability of the timetable management system could be affected if attackers execute destructive SQL commands, potentially disrupting academic scheduling and administrative functions. Given the remote, unauthenticated nature of the exploit, attackers can easily target vulnerable systems, increasing the likelihood of widespread compromise. The medium CVSS score reflects a moderate but tangible risk, especially in environments where this software is critical for daily operations. European organizations may face legal and reputational consequences if breaches occur due to this vulnerability.

To mitigate CVE-2025-14537, organizations should immediately implement strict input validation and sanitization for the course_year_section/semester parameter in /preview7.php, ensuring that only expected values are accepted. Employ parameterized queries or prepared statements to prevent SQL injection attacks. If possible, restrict network access to the affected application to trusted internal networks or VPNs to reduce exposure. Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts. Since no official patches are currently available, consider isolating or temporarily disabling the vulnerable functionality until a fix is released. Conduct a thorough audit of database integrity and access logs to detect any prior exploitation. Educate developers and administrators on secure coding practices and the importance of timely patching. Finally, maintain regular backups of critical data to enable recovery in case of data corruption or loss.